[BUG] Bash deny rules appear non-recursive for nested execution contexts ($(), backticks, subshell, eval, PowerShell wrapper)

Resolved 💬 4 comments Opened Mar 27, 2026 by Pro777 Closed Apr 26, 2026

Summary

Potential policy-enforcement gap in Claude Code 2.1.78: deny matching may not recursively evaluate inner payloads when execution is routed through wrapper shell invocations.

This report intentionally omits operational reproduction payloads in public.

Scope (public)

  • Top-level chain operators (&&, ;, ||, |) are not the current claim.
  • Current claim is limited to wrapper-mediated inner-command evaluation under specific allow/deny combinations.

Observed Risk

A command intended to be denied can still execute when embedded in an allowed wrapper path, producing a policy trust/control mismatch.

Evidence Status

Validated on reporter side with:

  • command transcript logs
  • policy decision artifacts (permission_denials state)
  • before/after file-state receipts

Full reproduction details and artifacts are available for maintainer/security review via private channel.

Requested handling

If maintainers want full PoC, please provide preferred private intake route and I will share the complete reproducible bundle immediately.

Related context

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗